> I sort of assumed that PCR-18 would only be present if the policy
> verification passed, and would be different (or all 0s) when the
> verification failed.
> This is a bit dangerous if anyone uses it.
You need to use the "halt" policy.
> I think something simple like hashing "1" into it
On Mon, 2016-05-09 at 11:56 +0200, Jan Schermer wrote:
> I don't know what actual use a policy of type "nonfatal" is outside of testing
Neither do I. It's kind of unfortunate that most docs are using this
policy.
Martin
t?
Did you maybe use PCR 18 in your VLP? Check the --pcr option of your
tb_polgen command line.
Otherwise I don't know. You could check your tboot log for the detailed
PCR logs, and try to find out the difference.
Martin
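The point Jan and Martin are circling above (with a "nonfatal" policy the launch continues and PCR 18 is still extended, so a verifier must not treat a non-zero PCR 18 as proof that policy verification passed) as an added example; this is not code from tboot or from anyone in this thread. It models a 20-byte SHA-1 PCR bank with TPM_Extend and a deliberately simplified policy check. The module contents, the exact halt-versus-nonfatal behaviour, and all function names here are assumptions for illustration, not tboot's implementation.

```python
import hashlib
from typing import Iterable, Optional

PCR_SIZE = 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers, all zeros at reset


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend for a SHA-1 PCR bank: new = SHA1(old || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be 20-byte SHA-1 values")
    return hashlib.sha1(pcr + digest).digest()


# Constructed module contents standing in for the kernel and initrd that a
# VLP entry created with `tb_polgen --add ... --pcr 18` would cover.
GOOD_MODULES = [b"vmlinuz (constructed)", b"initrd.img (constructed)"]
TAMPERED_MODULES = [b"vmlinuz (constructed)", b"initrd.img (TAMPERED, constructed)"]
POLICY_HASHES = {sha1(m) for m in GOOD_MODULES}  # hashes the VLP allows


def launch(modules: Iterable[bytes], policy_type: str) -> Optional[bytes]:
    """Simplified model (an assumption, not tboot's code) of how the policy
    type affects PCR 18. Every loaded module is measured into PCR 18; a
    module whose hash is not in the policy is a verification failure:
      'halt'     -> the launch is aborted, nothing boots, no quote is possible
      'nonfatal' -> the failure is only logged and the launch continues
    Returns PCR 18 after the launch, or None if the launch was halted.
    """
    if policy_type not in ("halt", "nonfatal"):
        raise ValueError("policy_type must be 'halt' or 'nonfatal'")
    pcr18 = bytes(PCR_SIZE)
    for module in modules:
        digest = sha1(module)
        if digest not in POLICY_HASHES and policy_type == "halt":
            return None
        pcr18 = pcr_extend(pcr18, digest)
    return pcr18


def expected_pcr18() -> bytes:
    """Golden PCR 18 value for the known-good module set, computed the same
    way a remote verifier would precompute it from the policy's hashes."""
    pcr = bytes(PCR_SIZE)
    for module in GOOD_MODULES:
        pcr = pcr_extend(pcr, sha1(module))
    return pcr


def naive_check(pcr18: bytes) -> bool:
    """The assumption from the thread: 'PCR 18 is only present (non-zero)
    if policy verification passed'."""
    return pcr18 != bytes(PCR_SIZE)


def strict_check(pcr18: bytes) -> bool:
    """What a verifier should actually do: compare against the golden value."""
    return pcr18 == expected_pcr18()


if __name__ == "__main__":
    good = launch(GOOD_MODULES, "nonfatal")
    print("good boot, nonfatal: naive=%s strict=%s" % (naive_check(good), strict_check(good)))
    bad = launch(TAMPERED_MODULES, "nonfatal")
    # PCR 18 is non-zero, so the naive check passes even though the policy failed
    print("tampered boot, nonfatal: naive=%s strict=%s" % (naive_check(bad), strict_check(bad)))
    print("tampered boot, halt: launched=%s" % (launch(TAMPERED_MODULES, "halt") is not None))
```

Under the "nonfatal" model a tampered initrd still yields a populated PCR 18, so a verifier that only tests for a non-zero register is fooled; only the comparison against the precomputed golden value catches it. With "halt" the question does not arise, because the platform never reaches a state in which it could produce a quote.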
>
> Jan
>
>
> > On 09 May 2016, at 11:01, martin
Hi Jan,
> So I want to use a signed policy, and use multiple policy data files for
> lifecycle management (e.g. when I need to upgrade to MLE but want to be able
> to "rollback" to a previous version if needed).
> Using a signed policy means I don't have to touch the NVRAM (which might
> break
On Fri, 2016-04-29 at 12:27 +0200, Jan Schermer wrote:
> Hello,
> can someone confirm my understanding and clarify my questions, please?
>
> 1) Launch control policy
> - protects tboot integrity (MLE)
> - can limit boot to certain PCRs
> - can I have multiple generations of LCPs i